Engine Yard Developer Center

March 2019 RubyGems Security Advisories

Various vulnerabilities have been discovered in older RubyGems versions, and it is recommended to upgrade to version 2.7.8. Please see this RubyGems blog post for further information regarding the vulnerabilities themselves. At this time the platform does not support RubyGems 3.x, because of gem installation changes that are incompatible with the platform's gem installation methods.

Solution

At this time these latest versions of RubyGems are not offered in the RubyGems selection for the environment, so they should be installed via a custom Chef recipe.

Engine Yard Gentoo 12.11 (stable-v4)

Make use of this custom chef recipe: https://github.com/engineyard/ey-cloud-recipes/blob/rubygems-update-march-2019/cookbooks/rubygems-update/recipes/default.rb

Please refer to this KnowledgeBase article if you need help in getting started with V4 custom chef recipes.

Engine Yard Gentoo 16.06 (stable-v5)

Add this block to the end of cookbooks/ey-custom/recipes/after-main.rb:

# Skip the install on later converges once the target RubyGems version is already present.
execute "Update to rubygems 2.7.8" do
  command "gem install -v 2.7.8 rubygems-update && update_rubygems"
  not_if "gem --version | grep -qx 2.7.8"
end

Please refer to https://github.com/engineyard/ey-cookbooks-stable-v5#usage if you need help in getting started with V5 custom chef recipes.

Note

Please test this upgrade on a staging or clone environment before upgrading production. To test, after upgrading RubyGems run rm -rf /data/_app_/shared/bundled_gems (where _app_ is your application name), then deploy your application. Also check the bundle command on the instance: SSH to the instance as the deploy user and issue a bundle command, for example cd /data/_app_/current && bundle exec gem list.

One issue we have seen at this time is related to the use of Bundler 2 to bundle gems on development systems. If you see issues, check that the BUNDLED WITH entry in your Gemfile.lock states a version lower than 2, and downgrade your local Bundler version if required.
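As an added check (example code, not part of this article), the following POSIX shell script verifies the two post-upgrade conditions described above on an instance: that gem --version reports at least 2.7.8, and that the BUNDLED WITH version in the application's Gemfile.lock is below 2. The lock files it writes are constructed for the demonstration only.

```shell
#!/bin/sh
# Added post-upgrade check (example code, not part of the Engine Yard article).
# Verifies the two things the Note asks for: RubyGems is at least 2.7.8 and the
# application's Gemfile.lock was not produced by Bundler 2 (BUNDLED WITH < 2).

# version_ge A B: succeed when dotted version A >= B, compared component-wise.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0 }'
}

# rubygems_ok VERSION: succeed when VERSION (as printed by `gem --version`) >= 2.7.8.
rubygems_ok() { version_ge "$1" "2.7.8"; }
# bundled_with LOCKFILE: print the version recorded under the BUNDLED WITH section.
bundled_with() {
  awk '/^BUNDLED WITH/ { getline; gsub(/^[ \t]+/, ""); print; exit }' "$1"
}

# lockfile_bundler_ok LOCKFILE: succeed when the lock file was written by Bundler < 2.
lockfile_bundler_ok() {
  v=$(bundled_with "$1")
  if [ -z "$v" ]; then return 1; fi
  if version_ge "$v" "2.0.0"; then return 1; fi
  return 0
}

# Demonstration on constructed lock files, plus the live `gem --version` when available.
demo() {
  dir=$(mktemp -d)
  printf 'GEM\n  remote: https://rubygems.org/\n\nBUNDLED WITH\n   1.17.3\n' > "$dir/ok.lock"
  printf 'GEM\n  remote: https://rubygems.org/\n\nBUNDLED WITH\n   2.0.1\n' > "$dir/bad.lock"
  for f in "$dir/ok.lock" "$dir/bad.lock"; do
    if lockfile_bundler_ok "$f"; then echo "$f: BUNDLED WITH $(bundled_with "$f") is fine"
    else echo "$f: BUNDLED WITH $(bundled_with "$f") - downgrade local Bundler below 2"; fi
  done
  rm -rf "$dir"
  if command -v gem >/dev/null 2>&1; then
    v=$(gem --version)
    if rubygems_ok "$v"; then echo "RubyGems $v: OK"; else echo "RubyGems $v: upgrade to 2.7.8"; fi
  fi
}
demo
```

Run it on the instance as the deploy user, passing /data/_app_/current/Gemfile.lock to lockfile_bundler_ok to check the deployed application's own lock file.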

Should you require assistance with any issues please contact Engine Yard Support.

 
